From 39fd32c362dcc0e277f5794d0534aee224343ebd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= Date: Sat, 23 Jul 2022 16:37:15 +0200 Subject: [PATCH] wayland: Disconnect signals when Wayland compositor object is finalized Fixes potential use-after-free during mutter shutdown, e.g.: ==993876== Invalid read of size 8 ==993876== at 0x4A4FCA3: meta_wayland_presentation_time_ensure_feedbacks (meta-wayland-presentation-time.c:373) ==993876== by 0x4A3F07F: on_presented (meta-wayland.c:282) ==993876== by 0x661B7E9: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.0) ==993876== by 0x661A922: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.0) ==993876== by 0x4DFF4BC: g_cclosure_marshal_generic_va (gclosure.c:1648) ==993876== by 0x4DFE948: _g_closure_invoke_va (gclosure.c:893) ==993876== by 0x4E17498: g_signal_emit_valist (gsignal.c:3406) ==993876== by 0x4E176BE: g_signal_emit (gsignal.c:3553) ==993876== by 0x51D9DB5: clutter_stage_view_notify_presented (clutter-stage-view.c:1226) ==993876== by 0x499ACD2: frame_cb (meta-stage-view.c:83) ==993876== by 0x499ACD2: frame_cb (meta-stage-view.c:43) ==993876== by 0x50CAA41: notify_event (cogl-onscreen.c:175) ==993876== by 0x50CAA41: _cogl_onscreen_notify_complete (cogl-onscreen.c:545) ==993876== by 0x4A877F5: meta_onscreen_native_notify_frame_complete (meta-onscreen-native.c:211) ==993876== Address 0x24b7be58 is 296 bytes inside a block of size 344 free'd ==993876== at 0x484217B: free (vg_replace_malloc.c:872) ==993876== by 0x4E1F88B: g_type_free_instance (gtype.c:2001) ==993876== by 0x49C793C: meta_context_dispose (meta-context.c:675) ==993876== by 0x4E037E0: g_object_unref (gobject.c:3636) ==993876== by 0x4E037E0: g_object_unref (gobject.c:3553) ==993876== by 0x10F145: glib_autoptr_clear_GObject (gobject-autocleanups.h:27) ==993876== by 0x10F145: glib_autoptr_clear_MetaContext (meta-context.h:32) ==993876== by 0x10F145: glib_autoptr_cleanup_MetaContext (meta-context.h:32) ==993876== by 0x10F145: main (mutter.c:126) ==993876== Block was alloc'd at ==993876== at 0x483F7B5: malloc 
(vg_replace_malloc.c:381) ==993876== by 0x4B21178: g_malloc (gmem.c:125) ==993876== by 0x4B395C0: g_slice_alloc (gslice.c:1072) ==993876== by 0x4B39C29: g_slice_alloc0 (gslice.c:1098) ==993876== by 0x4E1F544: g_type_create_instance (gtype.c:1901) ==993876== by 0x4E03DFC: g_object_new_internal (gobject.c:2011) ==993876== by 0x4E0538C: g_object_new_with_properties (gobject.c:2181) ==993876== by 0x4E05D40: g_object_new (gobject.c:1821) ==993876== by 0x4A3F864: meta_wayland_compositor_new (meta-wayland.c:585) ==993876== by 0x49C7FA7: meta_context_start (meta-context.c:412) ==993876== by 0x10F065: main (mutter.c:148) Fixes: 2ce3a050f02c ("wayland: Wire up presentation-time machinery") Fixes: 8cff3b84f726 ("wayland/compositor: Process frame callbacks on 'after-update'") Part-of:
---
 src/wayland/meta-wayland.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/wayland/meta-wayland.c b/src/wayland/meta-wayland.c
index 677300d90..dd4628c44 100644
--- a/src/wayland/meta-wayland.c
+++ b/src/wayland/meta-wayland.c
@@ -445,6 +445,11 @@ static void
 meta_wayland_compositor_finalize (GObject *object)
 {
   MetaWaylandCompositor *compositor = META_WAYLAND_COMPOSITOR (object);
+  MetaBackend *backend = meta_context_get_backend (compositor->context);
+  ClutterActor *stage = meta_backend_get_stage (backend);
+
+  g_signal_handlers_disconnect_by_func (stage, on_after_update, compositor);
+  g_signal_handlers_disconnect_by_func (stage, on_presented, compositor);
 
   g_clear_object (&compositor->dma_buf_manager);